Field | Value |
---|---|
Created | 2023.07.26 17:34 |
Machine | s1_win7_x6401 |
Filename | code.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
VT API (file) | 51 detected (Common, Cobalt, Malicious, score, GenericKD, unsafe, Vyzx, ABRisk, VBWB, Attribute, HighConfidence, high confidence, jxkbom, BackdoorX, Gencirc, AGEN, Meterpreter, COBEACON, YXDGTZ, Artemis, CobaltStrike, Detected, ai score=81, Chgt, CLOUD, 9+pjKIy, susgen, confidence, 100%) |
md5 | e4efed1ac69b15ff3dfc8024a28eb967 |
sha256 | a92a6d6f59fd04e04c6f911e39219c61eb6013e6db92905796642092dc1ce3d7 |
ssdeep | 3072:V6F1nkPsgo2qtM6ri5ITVTrf3/h/J5BdtEsh:Y3kPQ2qtre5IThrHh/pHEsh |
imphash | a909ce3dc0c1554a6489869514b92d36 |
impfuzzy | 24:HxYXKjDYc+m02thTBgdlJe1l39RPLOovbODtgvlRZHu9oGMhhkbRl:HxYaQc+SthTBgWp363DQg |
Network IP location
Signatures (7)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
PE API
IAT (Import Address Table) by library
KERNEL32.dll
0x140011000 VirtualProtect
0x140011008 CreateFileW
0x140011010 HeapReAlloc
0x140011018 HeapSize
0x140011020 QueryPerformanceCounter
0x140011028 QueryPerformanceFrequency
0x140011030 CloseHandle
0x140011038 Sleep
0x140011040 GetCurrentThreadId
0x140011048 FlsAlloc
0x140011050 FlsGetValue
0x140011058 FlsSetValue
0x140011060 FlsFree
0x140011068 InitializeCriticalSectionEx
0x140011070 GetSystemTimeAsFileTime
0x140011078 GetModuleHandleW
0x140011080 GetProcAddress
0x140011088 EnterCriticalSection
0x140011090 LeaveCriticalSection
0x140011098 DeleteCriticalSection
0x1400110a0 RtlCaptureContext
0x1400110a8 RtlLookupFunctionEntry
0x1400110b0 RtlVirtualUnwind
0x1400110b8 UnhandledExceptionFilter
0x1400110c0 SetUnhandledExceptionFilter
0x1400110c8 GetCurrentProcess
0x1400110d0 TerminateProcess
0x1400110d8 IsProcessorFeaturePresent
0x1400110e0 GetCurrentProcessId
0x1400110e8 InitializeSListHead
0x1400110f0 IsDebuggerPresent
0x1400110f8 GetStartupInfoW
0x140011100 RtlUnwindEx
0x140011108 RtlPcToFileHeader
0x140011110 RaiseException
0x140011118 GetLastError
0x140011120 SetLastError
0x140011128 EncodePointer
0x140011130 InitializeCriticalSectionAndSpinCount
0x140011138 TlsAlloc
0x140011140 TlsGetValue
0x140011148 TlsSetValue
0x140011150 TlsFree
0x140011158 FreeLibrary
0x140011160 LoadLibraryExW
0x140011168 GetModuleHandleExW
0x140011170 GetStdHandle
0x140011178 WriteFile
0x140011180 GetModuleFileNameW
0x140011188 ExitProcess
0x140011190 GetCommandLineA
0x140011198 GetCommandLineW
0x1400111a0 CompareStringW
0x1400111a8 LCMapStringW
0x1400111b0 HeapAlloc
0x1400111b8 HeapFree
0x1400111c0 GetFileType
0x1400111c8 SetFilePointerEx
0x1400111d0 FindClose
0x1400111d8 FindFirstFileExW
0x1400111e0 FindNextFileW
0x1400111e8 IsValidCodePage
0x1400111f0 GetACP
0x1400111f8 GetOEMCP
0x140011200 GetCPInfo
0x140011208 MultiByteToWideChar
0x140011210 WideCharToMultiByte
0x140011218 GetEnvironmentStringsW
0x140011220 FreeEnvironmentStringsW
0x140011228 SetEnvironmentVariableW
0x140011230 SetStdHandle
0x140011238 GetStringTypeW
0x140011240 GetProcessHeap
0x140011248 FlushFileBuffers
0x140011250 GetConsoleOutputCP
0x140011258 GetConsoleMode
0x140011260 WriteConsoleW
WINHTTP.dll
0x140011270 WinHttpSetStatusCallback
0x140011278 WinHttpCloseHandle
0x140011280 WinHttpOpen
EAT (Export Address Table): none